EVENT1) 20160718T164839.608 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="123456"
EVENT2) 20160718T164831.111 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="123456"
EVENT3) 20160718T164822.076 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="123456"
EVENT4) 20160718T164816.622 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="765432"
EVENT5) 20160718T164810.655 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="123456"
EVENT6) 20160718T164802.646 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="765432"
Hi Folks,
I have an issue in Splunk picking up the correct REQ and RES times in these events.
ACCNO:123456 event1(RES) - event2(REQ) = 20160718T164839.608 - 20160718T164831.111 = 8.***
ACCNO:123456 event3(RES) - event5(REQ) = 20160718T164822.076 - 20160718T164810.655 = 12.***
ACCNO:765432 event4(RES) - event6(REQ) = 20160718T164816.622 - 20160718T164802.646 = 14.***
My expected output:
ACCNO DURATION
123456 8. (some milli sec)
123456 12.(some milli sec)
765432 14.(some milli sec)
My current output (it is wrong):
ACCNO DURATION
123456 8.497000
765432
123456 5.967000
765432
123456 19.430000
QUERY:
index=* sourcetype=* SNAME="ABCD" ACCNO=123456 OR ACCNO=765432 MESSAGE=REQ OR MESSAGE=RES | rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") | transaction SNAME startswith="REQ" endswith="RES" | eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0)) | table ACCNO, duration
Thanks
-venkata Sridhar
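An added example, not part of the original post and not an answer from the Splunk forum: a Python script that does the pairing the question asks for, outside Splunk, over the six events pasted above (embedded as a constructed sample in the order they were posted). It sorts events by timestamp, then matches each RES to the earliest still-open REQ for the same (SNAME, ACCNO) and reports the gap in milliseconds. The pairing is keyed on ACCNO as well as SNAME, which is what the expected output needs; a transaction keyed on SNAME alone spans both accounts, which is consistent with the blank 765432 rows and mismatched 123456 durations in the current output. RES lines with no open REQ and REQ lines never answered are returned separately rather than silently dropped. The function and variable names are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the six events from the post, pasted newest first.
SAMPLE_EVENTS = """\
EVENT1) 20160718T164839.608 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="123456"
EVENT2) 20160718T164831.111 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="123456"
EVENT3) 20160718T164822.076 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="123456"
EVENT4) 20160718T164816.622 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="765432"
EVENT5) 20160718T164810.655 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="123456"
EVENT6) 20160718T164802.646 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="765432"
"""

# Same timestamp shape the posted rex targets, with the "." escaped so it only matches a dot.
TS_RE = re.compile(r"(?P<pt>\d{8}T\d{6}\.\d{3}) GMT")
# Generic KEY="value" extraction; values are stripped because MESSAGE carries a leading space.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FMT = "%Y%m%dT%H%M%S.%f"  # %f accepts the 3-digit fraction


def parse_event(line):
    """Return a dict of the line's fields plus a datetime under 'pt', or None if no timestamp."""
    m = TS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in KV_RE.findall(line)}
    fields["pt"] = datetime.strptime(m.group("pt"), TS_FMT)
    return fields


def pair_req_res(lines):
    """Pair each RES with the earliest open REQ for the same (SNAME, ACCNO).

    Returns (rows, unmatched_res, open_reqs):
      rows          - list of (ACCNO, duration_ms) in RES-time order
      unmatched_res - RES events that had no open REQ for their key
      open_reqs     - (key, timestamp) of REQs that never received a RES
    """
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["pt"])  # the post lists them newest first

    pending = defaultdict(deque)  # (SNAME, ACCNO) -> FIFO of open REQ timestamps
    rows, unmatched_res = [], []
    for e in events:
        key = (e.get("SNAME"), e.get("ACCNO"))
        msg = e.get("MESSAGE")
        if msg == "REQ":
            pending[key].append(e["pt"])
        elif msg == "RES":
            if pending[key]:
                req_pt = pending[key].popleft()
                rows.append((key[1], (e["pt"] - req_pt) // timedelta(milliseconds=1)))
            else:
                unmatched_res.append(e)  # response with no request: report, don't crash

    open_reqs = [(key, pt) for key, q in pending.items() for pt in q]
    return rows, unmatched_res, open_reqs


def format_table(rows):
    """Render rows in the 'ACCNO DURATION' shape the post expects, duration in seconds."""
    out = ["ACCNO DURATION"]
    out += [f"{accno} {ms / 1000:.3f}" for accno, ms in rows]
    return "\n".join(out)


if __name__ == "__main__":
    rows, bad_res, open_reqs = pair_req_res(SAMPLE_EVENTS.splitlines())
    print(format_table(rows))
    if bad_res or open_reqs:
        print(f"unmatched RES: {len(bad_res)}, unanswered REQ: {len(open_reqs)}")
```

In SPL the equivalent change is to key the transaction on both fields, e.g. `transaction SNAME ACCNO startswith="REQ" endswith="RES"`, after which the `duration` field that `transaction` itself produces gives the REQ-to-RES gap without the `mvindex` arithmetic; that is a suggestion for the poster to verify against their data, not something tested here.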